4 Little Known Ways to Achieve Better WordPress Security

Every WordPress site owner should be concerned with making their WordPress security as “locked down” as possible. For starters, it’s important in this quest for better WordPress security to make sure you have weighed the two sides of the security equation: Security vs. Usability.

A site can have ultimate security but be unusable for any visitor on one side of the equation, and be usable but have no security on the other side. WordPress site owners need to balance these two sides.

While it is true that strong passwords and proper permissions on a WordPress site can help provide good security, there are a few little known methods of enhancing your WordPress security while maintaining both sides of the security vs. usability equation.

1. Strengthen WordPress Security by Limiting Access

In the same way that stores have open and closed hours, it’s probably a good bet that you (the site owner) will sleep at some time. And if you are sleeping, why should anyone have access to the WordPress Admin area during that time?

The iThemes Security plugin provides the ability to “close” your WordPress Admin section and make it inaccessible during set times. From the Settings page, visit the Away Mode section to activate.

2. WordPress Security Doesn’t Require You to Reinvent the Wheel

Internet security is an established professional field, and the resources surrounding it offer plenty of opportunity. Just because you are on a WordPress site doesn’t mean you can’t take advantage of the numerous resources that security professionals across the internet have been utilizing. One such resource is the continually curated list of known “bad actors”/bots/IP addresses that have earned the reputation of being blocked.

3. Eliminate Any User or Bot Attempting to Do Your Website Harm

While it may be a difficult task trying to ascertain whether or not a user or a bot actually means your WordPress site harm, there are a few tips that can provide better WordPress security for your site. One tip is preventing the username ‘admin’ from ever being used on your site. This means that if any user or bot attempts to force their way into your WordPress site using the username ‘admin’, that user or bot will be automatically blacklisted.

There is zero reason for any WordPress site to be using a user account with the username of ‘admin’. Many years ago, by default, WordPress generated an administrator account during installation with the username of ‘admin’ and ever since that time bots and humans have been using that username to attempt to hack into WordPress sites.

Visit the Settings page in the iThemes Security plugin. Visit the Brute Force Protection section and click Enable Brute Force protection. Check the box to activate Immediately ban a host that attempts to login using the “admin” username.

4. Close New Security Holes in WordPress

Recently it was discovered that a major security vulnerability existed in the XML-RPC protocol in WordPress. This is the protocol that allows plugins like JetPack to function with outside sources and even allows Desktop/Mobile apps to communicate with your WordPress site.

The vulnerability is that when XML-RPC is enabled on your WordPress site, someone could attempt an infinite number of login attempts that could brute-force your passwords. (This is possible even if you have “brute force protection”.)

If you don’t have a reason to use XML-RPC for your WordPress site, the best way to secure your WordPress site from any type of attack from this protocol is to completely disable XML-RPC.

For WordPress site owners who still need to use XML-RPC, iThemes Security provides a very simple fix that eliminates the ability of outsiders to make multiple login attempts in a single request. From the Settings page, visit the WordPress Tweaks section. In the Multiple Authentication Attempts per XML-RPC Request section, select Block (recommended).
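For site owners who would rather not depend on a plugin setting, the following must-use plugin is an added example of the same idea (it is not iThemes Security’s code and not part of this article): it refuses XML-RPC requests that bundle several calls inside system.multicall and temporarily locks out a host whose single request produced more than one failed login. The file path, the constant names and the thresholds are assumptions; the `xmlrpc_enabled` and `xmlrpc_login_error` hooks are standard WordPress filters.

```php
<?php
/**
 * Plugin Name: XML-RPC multicall lockout (added example, not iThemes Security code)
 * Description: Drop this file into wp-content/mu-plugins/. Refuses XML-RPC
 *              requests that bundle several calls in system.multicall, and
 *              locks out any host whose request produced several failed logins.
 */

// Assumed thresholds (not from the article): failed logins tolerated in one
// request, and how long the offending host stays locked out.
const XRL_MAX_FAILS_PER_REQUEST = 1;
const XRL_LOCKOUT_SECONDS       = 15 * MINUTE_IN_SECONDS;

function xrl_client_ip() {
    // REMOTE_ADDR only: X-Forwarded-For is client-controlled unless a trusted proxy sets it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function xrl_lockout_key( $ip ) {
    return 'xrl_lock_' . md5( $ip );
}

// A raw XML-RPC body that wraps several <methodName> calls in system.multicall
// is exactly the "many logins per request" pattern the article describes.
function xrl_body_is_multicall( $body ) {
    return false !== stripos( $body, 'system.multicall' )
        && substr_count( $body, '<methodName>' ) > 1;
}

// WordPress consults 'xmlrpc_enabled' before any authenticated XML-RPC method
// runs; returning false makes the call fail as "XML-RPC services are disabled".
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    if ( get_transient( xrl_lockout_key( xrl_client_ip() ) ) ) {
        return false; // this host is still locked out
    }
    if ( xrl_body_is_multicall( file_get_contents( 'php://input' ) ) ) {
        return false; // one request, one authentication attempt
    }
    return $enabled;
} );

// 'xmlrpc_login_error' runs on every failed XML-RPC authentication; count the
// failures seen in this request and lock the host out once the limit is passed.
add_filter( 'xmlrpc_login_error', function ( $error, $user ) {
    static $fails = 0;
    if ( ++$fails > XRL_MAX_FAILS_PER_REQUEST ) {
        set_transient( xrl_lockout_key( xrl_client_ip() ), time(), XRL_LOCKOUT_SECONDS );
        error_log( sprintf( 'xmlrpc: %d failed logins in one request from %s, locked out', $fails, xrl_client_ip() ) );
    }
    return $error;
}, 10, 2 );
```

Unauthenticated methods such as pingback.ping never call the login path, so this file does not affect them; if XML-RPC is not needed at all, disabling it entirely, as the article recommends, remains the simpler choice.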